DynA-Crypt Ransomware Steals and Deletes User Data

A newly observed piece of ransomware doesn’t merely focus on encrypting user’s files, but also attempts to steal data from the infected machine, and to delete files, researchers warn.

Dubbed DynA-Crypt, and discovered by GData malware analyst Karsten Hahn, the new threat is composed of numerous standalone executables and PowerShell scripts designed to encrypt files, steal information such as usernames and passwords, and delete files without backing them up, meaning that some of the affected data can no longer be recovered.

The rasnsomware was reportedly created using a malware creation kit, a tool that allows any criminal wannabe to build their own malicious application effortlessly. In the case of DynA-Crypt, however, the actor who decided to create the ransomware didn’t have a clear idea of what they were doing, BleepingComputer’s Lawrence Abrams notes.

The real issue, the researcher says, isn’t the file-encrypting code in this ransomware, although this represents a problem as well. The data stealing functionality, however, is a much greater concern, because the malware can take screenshots of the desktop, record system sounds, log commands typed on the keyboard, and steal data from numerous installed programs (Skype, Steam, Chrome, Thunderbird, Minecraft, TeamSpeak, and Firefox).

To steal the data, DynA-Crypt copies it to the %LocalAppData%\dyna\loot\ folder, then archives it to a .zip file (%LocalAppData%\loot.zip), and then emails it to the operator. The malware also deletes the folders it steals the data from, as well as all the items on the desktop, although it doesn’t steal these as well, meaning that this data is lost forever.

The file-encrypting function of DynA-Crypt is powered by a PowerShell script that uses AES for encryption. The ransomware targets only specific file types to encrypt and appends the .crypt extension to them.

After completing the encryption process, the ransomware displays a lock screen requesting a $50 ransom in Bitcoins. Additionally, it deletes the computer's Shadow Volume Copies to prevent users from restoring their files using them.

“The good news is that this thing can be easily decrypted, so do not for any reason pay the ransom if you are infected with this program,” Abrams explains.

The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.

Unauthorized reproduction of this article (in part or in whole) is prohibited without the express written permission of Infosec Island and the Infosec Island member that posted this content--this includes using our RSS feed for any purpose other than personal use.